Tuesday, October 30, 2012

Linux and Forensic Tools


Included Forensic Tools
Linux comes with a number of simple utilities that make imaging and basic analysis of suspect disks and drives
comparatively easy. These tools include:
*dd - command used to copy from an input file or device to an output file or device. Simple bitstream imaging.
*sfdisk and fdisk - used to determine the disk structure.
*grep - search files (or multiple files) for instances of an expression or pattern.
*The loop device - allows you to associate regular files with device nodes. This will then allow you to mount
a bitstream image without having to rewrite the image to a disk.
*md5sum and sha1sum - create and store an MD5 or SHA hash of a file or list of files (including devices).
*file - reads a file's header information in an attempt to ascertain its type, regardless of name or extension.
*xxd - command line hexdump tool, for viewing a file in hex mode.

Following is a very simple series of steps to allow you to perform easy practice analysis
using the simple Linux tools mentioned above. All of the commands can be further explored with
"man command". For simplicity we are going to use a floppy with a FAT file system. Again,
this is just an introduction to the basic commands. These steps can be far more powerful with some
command line tweaking.


Example file we wish to identify:




Once you download the floppy image, put a blank floppy disk in your drive and create the practice
floppy with the following command (covered in detail later):

root@bt:~# dd if=practical.floppy.dd of=/dev/fd0
2880+0 records in
2880+0 records out
1474560 bytes (1.5 MB) copied, 0.337022 s, 4.4 MB/s
root@bt:~# md5sum /dev/fd0
2f4791784e2af37cf196e6a72cc79d99  /dev/fd0

One way of organizing your data would be to create a directory in your "home" directory for evidence
and then a subdirectory for different cases. Since we will be executing these commands as root,
the home directory is /root:
root@bt:~# mkdir ~/evid/
mkdir: cannot create directory `/root/evid/': File exists


An additional step you might want to take is to create a special mount point for all subject file
system analysis. This is another way of separating common system use from evidence processing:

root@bt:~# mkdir /mnt/analysis/
mkdir: cannot create directory `/mnt/analysis/': File exists


There are two simple tools available for determining the structure of a disk attached to your system.
The first, fdisk, we discussed earlier using the -l option. Replace the "x" with the letter of the drive
that corresponds to the subject drive. For example, if our subject disk is attached on the secondary IDE
channel as the master disk, it will be seen as /dev/hdc. A serial ATA (SATA) disk will be /dev/sda (or sdb, etc.).
We can get the partition information on that disk with:

root@bt:~# fdisk -l /dev/hdc
root@bt:~# fdisk -l /dev/sda
Disk /dev/sda: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0xe23b2a65

   Device Boot      Start         End      Blocks   Id  System
/dev/sda3               1       10707    86003946    7  HPFS/NTFS
/dev/sda4           19467       60802   332018689    f  W95 Ext'd (LBA)
/dev/sda5           19467       25841    51200984+   7  HPFS/NTFS
/dev/sda6           25880       34293    67585423+   7  HPFS/NTFS
/dev/sda7           34294       40004    45873576    7  HPFS/NTFS
/dev/sda8           40005       40251     1983996   82  Linux swap / Solaris
/dev/sda9           40252       60801   165067843+  83  Linux
root@bt:~# fdisk -l /dev/sda3

Disk /dev/sda3: 88.1 GB, 88068040704 bytes
255 heads, 63 sectors/track, 10706 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x6e697373

This doesn't look like a partition table
Probably you selected the wrong device.

     Device Boot      Start         End      Blocks   Id  System
/dev/sda3p1   ?      120528      234814   918008208   4f  QNX4.x 3rd part
Partition 1 does not end on cylinder boundary.
/dev/sda3p2   ?      119381      153271   272218546+  73  Unknown
Partition 2 does not end on cylinder boundary.
/dev/sda3p3   ?      113202      147075   272087568   2b  Unknown
Partition 3 does not end on cylinder boundary.
/dev/sda3p4   ?      177064      177067       27487   61  SpeedStor
Partition 4 does not end on cylinder boundary.
Partition table entries are not in disk order

We can redirect the output of this command to a file for later use by issuing the command as:
root@bt:~# fdisk -l /dev/sda3 > ~/evid/fdisk.disk1
A couple of things to note here: The name of the output file (fdisk.disk1) is completely arbitrary.


Make an image of the practice disk using basic dd. This is your standard forensic image of a suspect disk.
Change to and execute the command from within the /root/evid/ directory:

root@bt:~# cd ~/evid/
root@bt:~/evid# dd if=/dev/sda3 of=image.disk1  bs=512
^C24834529+0 records in
24834529+0 records out
12715278848 bytes (13 GB) copied, 557.744 s, 22.8 MB/s

root@bt:~/evid# fdisk -l

Disk /dev/sda: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0xe23b2a65

   Device Boot      Start         End      Blocks   Id  System
/dev/sda3               1       10707    86003946    7  HPFS/NTFS
/dev/sda4           19467       60802   332018689    f  W95 Ext'd (LBA)
/dev/sda5           19467       25841    51200984+   7  HPFS/NTFS
/dev/sda6           25880       34293    67585423+   7  HPFS/NTFS
/dev/sda7           34294       40004    45873576    7  HPFS/NTFS
/dev/sda8           40005       40251     1983996   82  Linux swap / Solaris
/dev/sda9           40252       60801   165067843+  83  Linux
Note: sector size is 2048 (not 512)

Disk /dev/sdb: 1047 MB, 1047263232 bytes
33 heads, 61 sectors/track, 254 cylinders
Units = cylinders of 2013 * 2048 = 4122624 bytes
Sector size (logical/physical): 2048 bytes / 2048 bytes
I/O size (minimum/optimal): 2048 bytes / 2048 bytes
Disk identifier: 0x6f20736b

This doesn't look like a partition table
Probably you selected the wrong device.

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1   ?      386556      953625  2283019262   72  Unknown
Partition 1 has different physical/logical beginnings (non-Linux?):
     phys=(357, 116, 40) logical=(386555, 11, 23)
Partition 1 has different physical/logical endings:
     phys=(357, 32, 45) logical=(953624, 6, 61)
Partition 1 does not end on cylinder boundary.
/dev/sdb2   ?       83801     1045563  3872056480   65  Novell Netware 386
Partition 2 has different physical/logical beginnings (non-Linux?):
     phys=(288, 115, 43) logical=(83800, 2, 1)
Partition 2 has different physical/logical endings:
     phys=(367, 114, 50) logical=(1045562, 23, 53)
Partition 2 does not end on cylinder boundary.
Partition 2 does not start on physical sector boundary.
/dev/sdb3   ?      928903     1890666  3872056384   79  Unknown
Partition 3 has different physical/logical beginnings (non-Linux?):
     phys=(366, 32, 33) logical=(928902, 28, 32)
Partition 3 has different physical/logical endings:
     phys=(357, 32, 43) logical=(1890665, 16, 36)
Partition 3 does not end on cylinder boundary.
Partition 3 does not start on physical sector boundary.
/dev/sdb4   ?     1433523     1433551      110998    d  Unknown
Partition 4 has different physical/logical beginnings (non-Linux?):
     phys=(372, 97, 50) logical=(1433522, 22, 25)
Partition 4 has different physical/logical endings:
     phys=(0, 10, 0) logical=(1433550, 8, 13)
Partition 4 does not end on cylinder boundary.
Partition table entries are not in disk order

root@bt:~/evid# fdisk -l /dev/sdb
Note: sector size is 2048 (not 512)
Disk /dev/sdb: 1047 MB, 1047263232 bytes
33 heads, 61 sectors/track, 254 cylinders
Units = cylinders of 2013 * 2048 = 4122624 bytes
Sector size (logical/physical): 2048 bytes / 2048 bytes
I/O size (minimum/optimal): 2048 bytes / 2048 bytes
Disk identifier: 0x6f20736b
This doesn't look like a partition table
Probably you selected the wrong device.
 Device Boot      Start         End      Blocks   Id  System
/dev/sdb1   ?      386556      953625  2283019262   72  Unknown
Partition 1 has different physical/logical beginnings (non-Linux?):
     phys=(357, 116, 40) logical=(386555, 11, 23)
Partition 1 has different physical/logical endings:
     phys=(357, 32, 45) logical=(953624, 6, 61)
Partition 1 does not end on cylinder boundary.
/dev/sdb2   ?       83801     1045563  3872056480   65  Novell Netware 386
Partition 2 has different physical/logical beginnings (non-Linux?):
     phys=(288, 115, 43) logical=(83800, 2, 1)
Partition 2 has different physical/logical endings:
     phys=(367, 114, 50) logical=(1045562, 23, 53)
Partition 2 does not end on cylinder boundary.
Partition 2 does not start on physical sector boundary.
/dev/sdb3   ?      928903     1890666  3872056384   79  Unknown
Partition 3 has different physical/logical beginnings (non-Linux?):
     phys=(366, 32, 33) logical=(928902, 28, 32)
Partition 3 has different physical/logical endings:
     phys=(357, 32, 43) logical=(1890665, 16, 36)
Partition 3 does not end on cylinder boundary.
Partition 3 does not start on physical sector boundary.
/dev/sdb4   ?     1433523     1433551      110998    d  Unknown
Partition 4 has different physical/logical beginnings (non-Linux?):
     phys=(372, 97, 50) logical=(1433522, 22, 25)
Partition 4 has different physical/logical endings:
     phys=(0, 10, 0) logical=(1433550, 8, 13)
Partition 4 does not end on cylinder boundary.
Partition table entries are not in disk order

root@bt:~/evid# dd if=/dev/sdb of=image.disk1  bs=512
2045436+0 records in
2045436+0 records out
1047263232 bytes (1.0 GB) copied, 103.362 s, 10.1 MB/s
root@bt:~/evid# md5sum /dev/sdb
044144780d449a3af7cd3a01b84c5099  /dev/sdb
root@bt:~/evid# dd if=/dev/sdb of=image.disk2  bs=512
2045436+0 records in
2045436+0 records out
1047263232 bytes (1.0 GB) copied, 103.264 s, 10.1 MB/s
root@bt:~/evid# md5sum /dev/sdb
044144780d449a3af7cd3a01b84c5099  /dev/sdb
root@bt:~/evid# md5sum image.disk2
044144780d449a3af7cd3a01b84c5099  image.disk2
root@bt:~/evid# mount -t vfat -o ro,noexec,loop image.disk2 /mnt/analysis
root@bt:~/evid# umount /mnt/analysis
root@bt:~/evid# sha1sum /dev/fd0
f5ee9cf56f23e5f5773e2a4854360404a62015cf  /dev/fd0

root@bt:~/evid# sha1sum /dev/sdb
a00f3b85b348befb2e4876135b2b4449476b4e0f  /dev/sdb
root@bt:~/evid# sha1sum /dev/sdb > sha.disk1
root@bt:~/evid# mount -t vfat -o ro,noexec,loop image.disk1 /mnt/analysis
root@bt:~/evid# cd /mnt/analysis/
root@bt:/mnt/analysis# find . -type f -exec sha1sum {} \; > ~/evid/sha.filelist
root@bt:/mnt/analysis# cat /root/evid/sha.filelist
86082e288fea4a0f5c5ed3c7c40b3e7947afec11  ./Docs/Benchmarks.xls
81e62f9f73633e85b91e7064655b0ed190228108  ./Docs/Computer_Build.xml
0950fb83dd03714d0c15622fa4c5efe719869e48  ./Docs/Law.doc
7a1d5170911a87a74ffff8569f85861bc2d2462d  ./Docs/whyhack
63ddc7bca46f08caa51e1d64a12885e1b4c33cc9  ./Pics/C800x600.jpg
8844614b5c2f90fd9df6f8c8766109573ae1b923  ./Pics/bike2.jpg
4cf18c44023c05fad0de98ed6b669dc4645f130b  ./Pics/bike3.jpg
aeb0151e67ff4dd5c00a19ee351801b5a6f11438  ./Pics/matrixs3.jpg
d252ac06995c1a6215ca5e7df7c3e02c79c24488  ./Pics/mulewheelie.gif
f6f8586eefb5f163eac2bd8ec09053d70cae000e  ./Pics/Stoppie.gif
49f0405267a653bac165795ee2f8d934fb1650a9  ./ARP.EXE
9a886c8e8ad376fc53d6398cdcf8aab9e93eda27  ./FTP.EXE
4c703ee9802aa110b0673d7ae80468e6418bf74c  ./loveletter.virus
7191c24f0f15cca6a5ef9a4db0aee7b40789d6c0  ./ouchy.dat
6666d9b50508360f4a2362e7fd74c91fcb68d2e8  ./snoof.gz

root@bt:/mnt/analysis# sha1sum -c /root/evid/sha.disk1
/dev/sdb: OK
root@bt:/mnt/analysis# sha1sum -c /root/evid/sha.filelist
./Docs/Benchmarks.xls: OK
./Docs/Computer_Build.xml: OK
./Docs/Law.doc: OK
./Docs/whyhack: OK
./Pics/C800x600.jpg: OK
./Pics/bike2.jpg: OK
./Pics/bike3.jpg: OK
./Pics/matrixs3.jpg: OK
./Pics/mulewheelie.gif: OK
./Pics/Stoppie.gif: OK
./ARP.EXE: OK
./FTP.EXE: OK
./loveletter.virus: OK
./ouchy.dat: OK
./snoof.gz: OK
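
The acquire-then-verify sequence above, as an added example that is not part of the original post: it shows that a complete dd image hashes identically to its source, that a copy cut short (like the dd run interrupted with ^C earlier) does not, and that a per-file manifest catches later changes. A regular file stands in for the subject device, and all file names and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). A regular file plays the role of
# the subject device, so no root access or real disk is needed.

# Print only the SHA-1 digest of a file or device node.
hash_of() { sha1sum "$1" | cut -d' ' -f1; }

# Bitstream copy with the block size used in the post. An optional third
# argument limits the number of blocks, simulating a dd interrupted with ^C.
acquire() {
    if [ -n "$3" ]; then
        dd if="$1" of="$2" bs=512 count="$3" 2>/dev/null
    else
        dd if="$1" of="$2" bs=512 2>/dev/null
    fi
}

# Succeed only when the image hashes to the same value as the source.
verify_image() { [ "$(hash_of "$1")" = "$(hash_of "$2")" ]; }

# Per-file manifest, as in: find . -type f -exec sha1sum {} \; > sha.filelist
make_manifest() { ( cd "$1" && find . -type f -exec sha1sum {} \; ) > "$2"; }

# Re-check every file against the manifest (manifest path must be absolute).
check_manifest() { ( cd "$1" && sha1sum -c "$2" ) >/dev/null 2>&1; }

demo() {
    work=$(mktemp -d) || return 1

    # Constructed 64-sector "subject disk".
    dd if=/dev/urandom of="$work/subject.dd" bs=512 count=64 2>/dev/null

    acquire "$work/subject.dd" "$work/image.full"
    acquire "$work/subject.dd" "$work/image.partial" 40   # interrupted copy

    verify_image "$work/subject.dd" "$work/image.full" \
        && echo "image.full: hash matches source"
    verify_image "$work/subject.dd" "$work/image.partial" \
        || echo "image.partial: hash MISMATCH, re-acquire"

    # Constructed evidence tree standing in for the mounted image.
    mkdir -p "$work/mnt/Docs"
    echo "constructed sample" > "$work/mnt/Docs/note.txt"
    echo "constructed binary" > "$work/mnt/tool.exe"
    make_manifest "$work/mnt" "$work/sha.filelist"
    check_manifest "$work/mnt" "$work/sha.filelist" \
        && echo "manifest: all files OK"

    # Any later change to a file is caught by sha1sum -c.
    echo "x" >> "$work/mnt/Docs/note.txt"
    check_manifest "$work/mnt" "$work/sha.filelist" \
        || echo "manifest: FAILED after a file changed"

    rm -rf "$work"
}

demo
```

Hash the source before and after imaging as well as the image itself: a matching pair shows the copy is complete, and an unchanged source hash shows the acquisition did not alter the original.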

root@bt:/mnt/analysis# ls -al
.:
total 118
drwxr-xr-x 4 root root  7168 1970-01-01 07:00 .
drwxr-xr-x 3 root root  4096 2012-10-29 19:10 ..
-rwxr-xr-x 1 root root 19536 1996-08-24 11:11 ARP.EXE
drwxr-xr-x 3 root root   512 2000-09-23 15:21 Docs
-rwxr-xr-x 1 root root 37520 1996-08-24 11:11 FTP.EXE
-r-xr-xr-x 1 root root 16161 2000-09-21 07:46 loveletter.virus
-rwxr-xr-x 1 root root 21271 2000-03-19 19:00 ouchy.dat
drwxr-xr-x 2 root root   512 2000-09-23 15:21 Pics
-rwxr-xr-x 1 root root 12384 2000-08-02 07:43 snoof.gz

root@bt:ls -alR | less
drwxr-xr-x 2 root root   512 2000-09-23 15:21 Private
-rwxr-xr-x 1 root root  3928 2000-09-21 07:45 whyhack
./Docs/Private:
total 1
drwxr-xr-x 2 root root 512 2000-09-23 15:21 .
drwxr-xr-x 3 root root 512 2000-09-23 15:21 ..
./Pics:
total 1138
drwxr-xr-x 2 root root    512 2000-09-23 15:21 .
drwxr-xr-x 4 root root   7168 1970-01-01 07:00 ..
-rwxr-xr-x 1 root root 183654 2000-09-21 07:45 bike2.jpg
-rwxr-xr-x 1 root root 187598 2000-09-21 07:45 bike3.jpg
-rwxr-xr-x 1 root root  94426 2000-03-19 19:00 C800x600.jpg
-rwxr-xr-x 1 root root  27990 2000-09-21 07:45 matrixs3.jpg
-rwxr-xr-x 1 root root 418582 2000-09-21 07:45 mulewheelie.gif
-rwxr-xr-x 1 root root 243245 2000-09-21 07:45 Stoppie.gif

root@bt:/mnt/analysis# ls -laiRtu > ~/evid/access_file.list
root@bt:/mnt/analysis# find . -type f > ~/evid/file.list.2
root@bt:/mnt/analysis# tree
.
├── ARP.EXE
├── Docs
│   ├── Benchmarks.xls
│   ├── Computer_Build.xml
│   ├── Law.doc
│   ├── Private
│   └── whyhack
├── FTP.EXE
├── loveletter.virus
├── ouchy.dat
├── Pics
│   ├── bike2.jpg
│   ├── bike3.jpg
│   ├── C800x600.jpg
│   ├── matrixs3.jpg
│   ├── mulewheelie.gif
│   └── Stoppie.gif
└── snoof.gz

3 directories, 15 files

root@bt:/mnt/analysis# grep -i jpg ~/evid/file.list.2
./Pics/C800x600.jpg
./Pics/bike2.jpg
./Pics/bike3.jpg
./Pics/matrixs3.jpg

root@bt:/mnt/analysis# find . -type f -exec file {} \; > ~/evid/filetype.list
root@bt:/mnt/analysis# cat ~/evid/filetype.list
./Docs/Benchmarks.xls: CDF V2 Document, Little Endian, Os: Windows, Version 4.10, Code page: 1252, Author: Barry J. Grundy, Last Saved By: Barry J. Grundy, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jan  8 19:53:35 1999, Security: 0
./Docs/Computer_Build.xml: gzip compressed data, from Unix
./Docs/Law.doc: CDF V2 Document, Little Endian, Os: Windows, Version 4.0, Code page: 1252, Title: The Long Arm of the Law, Author: OAG, Template: Normal.dot, Last Saved By: OAG, Revision Number: 2, Name of Creating Application: Microsoft Word 8.0, Total Editing Time: 01:00, Create Time/Date: Wed Sep 20 12:16:00 2000, Last Saved Time/Date: Wed Sep 20 12:16:00 2000, Number of Pages: 1, Number of Words: 1335, Number of Characters: 7610, Security: 0
./Docs/whyhack: ASCII English text, with very long lines, with CRLF, LF line terminators
./Pics/C800x600.jpg: JPEG image data, JFIF standard 1.02
./Pics/bike2.jpg: PC bitmap, Windows 3.x format, 300 x 204 x 24
./Pics/bike3.jpg: PC bitmap, Windows 3.x format, 317 x 197 x 24
./Pics/matrixs3.jpg: JPEG image data, JFIF standard 1.01
./Pics/mulewheelie.gif: PC bitmap, Windows 3.x format, 425 x 328 x 24
./Pics/Stoppie.gif: GIF image data, version 87a, 1024 x 693
./ARP.EXE: PE32 executable for MS Windows (console) Intel 80386 32-bit
./FTP.EXE: PE32 executable for MS Windows (console) Intel 80386 32-bit
./loveletter.virus: ASCII English text
./ouchy.dat: JPEG image data, JFIF standard 1.02
./snoof.gz: gzip compressed data, from Unix, last modified: Thu Feb 11 03:04:46 1999

root@bt:/mnt/analysis# grep image ~/evid/filetype.list
./Pics/C800x600.jpg: JPEG image data, JFIF standard 1.02
./Pics/matrixs3.jpg: JPEG image data, JFIF standard 1.01
./Pics/Stoppie.gif: GIF image data, version 87a, 1024 x 693
./ouchy.dat: JPEG image data, JFIF standard 1.02

root@bt:strings arp.exe | less
 l|}
<-t8</t4
t]Ph
t2Ph '
Ph!'
@SVW
wR9U
wM9U
wH9U
SVWj
)h|I
L$ 3
L$ 3
u!Wj
L$ 3
\VSW
KERNEL32.dll
CharToOemA
USER32.dll
%u.%u.%u.%u
-%02x
%02x
%2x-%2x-%2x-%2x-%2x-%2x
SnmpExtensionQuery
SnmpExtensionInit
inetmib1.dll
%1: bad IP address: %2
%1: bad argument: %2
Interface: %1
  Internet Address      Physical Address      Type
%1: not enough memory
other%0
invalid%0
dynamic%0
static%0
%1: Windows Sockets initialization failed: %2!d!
%1: can't load DLL: %2, error = %3!d!
%1: DLL error %3!d! in %2
The specified entry was not found
  %1!-20s!  %2!-20s!  %3!-10s!
The interface failed to initialize: %1!u!
Unable to retrieve ARP information: %1!u!
The ARP entry addition failed: %1!u!
The ARP entry deletion failed: %1!u!
No ARP Entries Found
151J1Q1v3
7+8}8
>B>`>w>
#0a0
0d1w1
2*222L2
3r3y3
4(4.4
5$5+52595@5G5N5U5\5
6&8-8B8I8[8b8q8u8y8}8
:#:':+:/:3:7:;:?:C:G:K:O:S:W:[:_:c:g:k:o:
<e=i=m=q=u=y=}=
0f2/33373;3?3C3G3K3O3S3\7a7g7t7
7 8&8,82888>8D8J8P8V8\8b8h8D9J9P9V9

root@bt:~# umount /mnt/analysis
umount: /mnt/analysis: device is busy.
        (In some cases useful info about processes that use
         the device is found by lsof(8) or fuser(1))

root@bt:~/evid# nano /root/evid/searchlist.txt/hits.txt
root@bt:~/evid# ls -l
total 1024192
-rw-r--r-- 1 root root       1630 2012-10-30 21:51 access_file.list
-rw-r--r-- 1 root root        927 2012-10-30 20:28 fdisk.disk1
-rw-r--r-- 1 root root        256 2012-10-30 21:52 file.list.2
-rw-r--r-- 1 root root       1544 2012-10-30 21:57 filetype.list
-r--r--r-- 1 root root    1474560 2012-10-30 21:06 image.disk1
-rw-r--r-- 1 root root 1047263232 2012-10-30 21:15 image.disk2
drwxr-xr-x 2 root root       4096 2012-10-30 20:00 searchlist.txt
-rw-r--r-- 1 root root         51 2012-10-30 21:32 sha.disk1
-rw-r--r-- 1 root root        886 2012-10-30 21:35 sha.filelist
root@bt:~/evid# nano searchlist


root@bt:~/evid# grep -abif searchlist.txt image.disk1 > hits.txt

root@bt:~/evid# cat hits.txt

8983:�*�J�j��������ADocs`����������������DOCS       ��z7)7)�z7)APics`����������������PICS       ��z7)7)�z7)vARP     EXE ��z7)7)eY▒!K    PLFTP     EXE $�z7)7)eY▒!r      ��Brus�������������������lovel�etter.viLOVELE~1VIR��z7)7)�=5)�  !?Aouchy�.dat������OUCHY   DAT ��z7)7)▒�s(�     SAsnoof�.gz��������SNOOF   GZ  ��z7)7)s=)
39284:Ninth Circuit Strikes Federal �Virtual� Child Pornography Law on First Amendment Grounds
                      INCLUDEPICTURE  \d "/images/design/5x5.gif"

                                                                INCLUDEPICTURE  \d "/images/design/5x5.gif"
                                  INCLUDEPICTURE  \d "/images/design/5x5.gif"
    INCLUDEPICTURE  \d "/images/design/5x5.gif"
                                              HYPERLINK "mailto:info@lawnewsnetwork.com"mailto:info@lawnewsnetwork.com
                                              HYPERLINK "http://www.almdc.com/"Criminal Justice Weekly
                               December 21, 1999
                                                 INCLUDEPICTURE  \d "/images/design/5x5.gif"
                   INCLUDEPICTURE  \d "/images/design/line2.gif"
                                                               INCLUDEPIThe First Amendment prohibits Congress from enacting a statute criminalizing the generation of computer images of fictitious children engaged in imaginary but explicit sexual conduct, the U.S. Court of Appeals for the Ninth Circuit held Dec. 17, widening a split in the circuits. Specifically, the court struck certain language in the Child Pornography Prevention Act of 1996, 18 U.S.C. �2256, prohibiting a "visual depiction" that "is, or appears to be, of a minor engaging in sexually explicit conduct," and advertising or promotion of such images, as unconstitutionally vague and overbroad, language which was found last month to be constitutional by the Eleventh Circuit in U.S. v. Acheson, 11th Cir., No. 98-3559, Story, J., 11/12/99 (Free Speech Coalition v. Reno, 9th Cir., No. 97-1653Section 2256(8) defines child pornography as "any visual depiction, including any photograph, film, video, picture, or computer or computer-generated image or picture, whether made or produced by electronic, mechanical, or other means, of sexually explicit conduct[.]" At issue in the appeal were the definitions contained in subsections (B) and (D). Section 2256(8)(B) bans sexually explicit depictions that appear to be minors. Section 2256(8)(D) bans visual depictions that are "advertised, promoted, presented, described or distributed in such a manner that conveys the imThe plaintiffs were a group of adult-oriented businesses and erotic artists who withheld or stopped distributing certain artistic works out of fear of prosecution under the 1996 amendments. The district court found that the plaintiffs had standing to bring their First Amendment challenge, and the government did not contest that finding on appeal. The district court granted summary judgment in favor of the government on the First Amendment issues, however. 
On appeal, the plaintiffs argue that where the statute fails to define "appears to be" and "conveys the impression," it is so vague a person of ordinary intelligence cannot understand whatThe Ninth Circuit, in an opinion by U.S. District Judge Donald W. Molloy (D. Mont.), sitting by designation, agreed on that point, while holding most of the statute still passes constitutional muster. However, it did not hold, as the dissent claimed, that the First Amendment protects all computer-generated imaginary images of child pornography. "Because the statute is severable, our holding demonstrates that if morphed computer images are of an identifiable child, the statute is enforceable because there is then the potential harm to a real child."
CONTENT DISCRIMINATION
844548426:         <dc:format>image/jpeg</dc:format>
845713864:         <dc:format>image/jpeg</dc:format>
846648084:         <dc:format>image/jpeg</dc:format>
Project managers may still need to break the rules to meet project goals, and senior managers must support those actions�T�
853499180:��▒�Rectangle 3������
Business Service Management (BSM) tools track the execution of business process flows�ZRd information
853567991:Concourse
                   1_Concourse
                              2_Concourse
                                         3_Concourse
                                                    4_Concourse
                                                               5_Concourse
                                                                          6_Concourse
                                                                                     7_Concourse
                                                                                                8_Concourse
                                                                                                           9_Concourse*Chapter 4: Project Integration ManagementLearning Objectives Learning Objectives (continued) Learning Objectives (continued)HThe Key to Overall Project Success: Good Project Integration Management)Project Integration Management Processes5Project Integration Management Processes (continued)3Figure 4-1. Project Integration Management SummaryWhat Went Wrong?)Strategic Planning and Project SelectionLFigure 4-2. Mind Map of a SWOT Analysis to Help Identify Potential Projects4Figure 4-3. Information Technology Planning ProcessBest PracticeMethods for Selecting Projects'Focusing on Broad Organizational NeedsCategorizing IT ProjectsFinancial Analysis of Projectset Present Value Analysis&Figure 4-4. Net Present Value Example'Figure 4-5. JWD Consulting NPV ExampleNPV CalculationsReturn on InvestmentPayback Analysis(Figure 4-6. Charting the Payback PeriodWeighted Scoring Model@Figure 4-7. Sample Weighted Scoring Model for Project Selection"Implementing a Balanced Scorecard'Figure 4-8. Balanced Scorecard ExampleProject ChartersXTable 4-1. Contoh Project Charter for the DNA-Sequencing Instrument Completion Project Table 4-1. Charter (continued)Project Management Plans-Common Elements of a Project Management PlanITable 4-2. Sample Contents for a Software Project Management Plan (SPMP)What the Winners DoProject Execution$Coordinating Planning and Execution.Providing Leadership and a Supportive Culture'Important Skills for Project Execution'Project Execution Tools and Techniques(Monitoring and Controlling Project WorkMedia Snapshot▒Integrated Change Control2Change Control on Information Technology ProjectsChange Control Systemhange Control Board (CCB)Making Timely ChangesConfiguration Management@Table 4-3. Suggestions for Performing Integrated Change ControlClosing Projects and Phases;Using Software to Assist in Project Integration ManagementChapter Summary

                                                                                                                     Fonts UseTheme
root@bt: ~/evid: xxd -s 75441 image.disk1 | less

00126b1: 796f 7520 616e 6420 796f 7572 2065 6e74  you and your ent
00126c1: 6972 6520 6275 7369 6e65 7373 2072 616e  ire business ran
00126d1: 736f 6d2e 0a0a 5468 6973 2069 7320 6e6f  som...This is no
00126e1: 7420 6120 6a6f 6b65 2e0a 0a49 2068 6176  t a joke...I hav
00126f1: 6520 6861 6420 656e 6f75 6768 206f 6620  e had enough of 
0012701: 796f 7572 206d 696e 646c 6573 7320 636f  your mindless co
0012711: 7270 6f72 6174 6520 7069 7261 6379 2061  rporate piracy a
0012721: 6e64 2077 696c 6c20 6e6f 206c 6f6e 6765  nd will no longe
0012731: 7220 7374 616e 6420 666f 7220 6974 2e20  r stand for it. 
0012741: 596f 7520 7769 6c6c 2072 6563 6965 7665  You will recieve
0012751: 2061 6e6f 7468 6572 206c 6574 7465 7220   another letter 
0012761: 6e65 7874 2077 6565 6b2e 2020 4974 2077  next week.  It w
0012771: 696c 6c20 6861 7665 2061 2073 696e 676c  ill have a singl
0012781: 6520 6261 6e6b 2061 6363 6f75 6e74 206e  e bank account n
0012791: 756d 6265 7220 616e 6420 6261 6e6b 206e  umber and bank n
00127a1: 616d 652e 2020 4920 7761 6e74 2079 6f75  ame.  I want you
00127b1: 2074 6f20 6465 706f 7369 7420 2435 302c   to deposit $50,
00127c1: 3030 3020 696e 2074 6865 2061 6363 6f75  000 in the accou
00127d1: 6e74 2074 6865 2064 6179 2079 6f75 2072  nt the day you r
00127e1: 6563 6569 7665 2074 6865 206c 6574 7465  eceive the lette
00127f1: 722e 2020 0a0a 446f 6e27 7420 7472 7920  r.  ..Don't try 
0012801: 616e 7974 6869 6e67 2c20 616e 6420 646f  anything, and do
0012811: 6e74 2063 6f6e 7461 6374 2074 6865 2063  nt contact the c
0012821: 6f70 732e 2020 4966 2079 6f75 2064 6f2c  ops.  If you do,
0012831: 2049 2077 696c 6c20 756e 6c65 6173 6820   I will unleash 
0012841: 6120 7669 7275 7320 7468 6174 2077 696c  a virus that wil
0012851: 6c20 6272 696e 6720 646f 776e 2079 6f75  l bring down you
0012861: 7220 7768 6f6c 6520 6e65 7477 6f72 6b20  r whole network 
:continues....
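
The keyword search and offset lookup above, as an added example that is not part of the original post: it builds a small constructed image, searches it with a keyword list, and carves the bytes at each hit. It adds two grep options the post does not use: -o, so that the reported byte offset is that of the match itself rather than of the start of the "line" containing it, and -F, so that terms such as $50,000 are matched literally. File names, keywords and function names are constructed for illustration, and dd is used for carving in place of xxd.

```shell
#!/bin/sh
# Added example (not from the original post); image contents are constructed.

# Build a 4-sector image of zero bytes with two text fragments at known offsets.
build_image() {
    dd if=/dev/zero of="$1" bs=512 count=4 2>/dev/null
    printf 'pay the RANSOM now' | dd of="$1" bs=1 seek=700 conv=notrunc 2>/dev/null
    printf 'wire $50,000 today' | dd of="$1" bs=1 seek=1600 conv=notrunc 2>/dev/null
}

# Print "offset:match" for every keyword hit.
#   -a treat binary as text     -b print byte offsets    -i ignore case
#   -o offset of the match      -F fixed strings         -f keyword list file
# LC_ALL=C keeps grep from interpreting raw bytes as multibyte characters.
find_offsets() { LC_ALL=C grep -abioF -f "$1" "$2"; }

# Sector (512-byte) that contains a given byte offset.
sector_of() { echo $(( $1 / 512 )); }

# Carve LEN bytes starting at OFFSET; non-printable bytes are shown as dots.
show_context() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | LC_ALL=C tr -c '[:print:]' '.'
}

demo() {
    work=$(mktemp -d) || return 1
    build_image "$work/image.dd"
    printf 'ransom\n$50,000\n' > "$work/searchlist.txt"

    find_offsets "$work/searchlist.txt" "$work/image.dd" |
    while IFS=: read -r off match; do
        printf "hit '%s' at byte %s (sector %s): %s\n" \
            "$match" "$off" "$(sector_of "$off")" \
            "$(show_context "$work/image.dd" "$off" 12)"
    done

    rm -rf "$work"
}

demo
```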
